Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcd7ea9fe503e8fa…

MALICIOUS

PDF

78.7 KB Created: 2021-02-18 23:12:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0b61a82c914126a6ec7b34643963a5e6 SHA-1: cec71f72242105be5cda05c31a7acabcb4b2a4ed SHA-256: fcd7ea9fe503e8fa9c28443812e8afe19a632c0a573d35996953a383605ac266
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains embedded URIs, with the primary one being 'https://bologen.ru/wix?keyword=harbor+breeze+ceiling+fan+remote+control+codes', which likely leads to a phishing or malicious site. The PDF structure and embedded content suggest it's designed to trick users into visiting these external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=harbor+breeze+ceiling+fan+remote+control+codes
    • https://cdn-cms.f-static.net/uploads/4496853/normal_5fda31e78aea4.pdf
    • https://cdn-cms.f-static.net/uploads/4374986/normal_601b4725840ad.pdf
    • http://bigchance.pw/dewukavsyjgl.pdf
    • https://cdn-cms.f-static.net/uploads/4465144/normal_601f1af3e845a.pdf
    • http://youla-24.cc/chemistry_mcgraw_hill0uyvx.pdf
    • https://cdn.sqhk.co/wixumenez/gjJjgji/digital_marketing_jobs_salary_in_chennai.pdf
    • http://trokot-new.online/android_emulator_for_linux_2018amqd2.pdf
    • http://bostpolamos.site/mxr_bass_compressordz10w.pdf
    • http://my-favshope.online/34257302451yz63r.pdf
    • https://static.s123-cdn-static.com/uploads/4459785/normal_5fef5fe12053f.pdf
    • http://8gusevshop.space/pibadojakenuq5h57.pdf
    • https://cdn.sqhk.co/rabuvimi/kUckgfa/crash_team_racing_nitro_fueled_pc_kuyhaa.pdf
    • https://cdn.sqhk.co/kavejufa/6Dnjaia/costco_sales_booklet_february_2020.pdf
    • https://static.s123-cdn-static.com/uploads/4479235/normal_5fc71754b1805.pdf
    • http://kowesaxulenim.22web.org/stunning_powerpoint_templates.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://demujub.rf.gd/73564988076.pdf
    • http://zikukoji.epizy.com/bilejonukitazotuwinuzete.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f815.bin
59b091d7efc60146a4510d320e463a6ca1cf81e35bc64db5f7dd35089c1eef68		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF815 5492 bytes
font_01_sfnt_off00010ab4.bin
33fed28fd4b06904e9c9b77c4811a071de8e8e830df5f51c33c12b7f1ea375ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10AB4 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.